Episode 13: In this episode of Critical Thinking - Bug Bounty Podcast we talk about how to determine if a bug bounty program is good or not from the policy page. We also cover some news including Acropalypse, ZDI's Pwn2Own Competition, Node's Request library's SSRF Bypass, and a new scanning tool by JHaddix.

Follow us on Twitter at: https://twitter.com/ctbbpodcast

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker (https://twitter.com/realytcracker) for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater & Teknogeek on Twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

JHaddix AWSScrape Tool: https://twitter.com/Jhaddix/status/1637140192728612865

Acropalypse Links:
- https://twitter.com/ItsSimonTime/status/1636857478263750656
- https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html
- https://twitter.com/David3141593/status/1638222624084951040
- https://twitter.com/David3141593/status/1638293029059477505

SSRF Bypass in NodeJS: https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html

ZDI's Pwn2Own: https://twitter.com/thezdi

Kuzu7shiki's Awesome Pixiv Report:
- https://hackerone.com/reports/1861974
- https://twitter.com/kuzu7shiki

Some of the Programs we talk about:
- https://hackerone.com/instacart
- https://hackerone.com/semrush
- https://hackerone.com/yahoo
- https://hackerone.com/paypal

====== Chapters ======
0:00 Intro
0:35 HackerOne World Cup troubles
2:10 News
12:35 ZDI
17:51 How to spot a good program
18:15 Our top programs
24:02 Walk through a real program
27:12 SLA and Efficiency
33:05 Average Bounties
36:00 Bounties paid and reports received in the last 90 days
37:42 Scope
39:48 Anchoring on Mediums
43:24 The gap between the 1st Place and everybody else
53:44 Bounty hunter nice-to-haves
59:45 What to look for when returning to a target
1:03:19 Closing thoughts